How to loop from 'a' to 'z' in thymeleaf? - thymeleaf

Is there a way to loop from 'a' to 'z' using th:each block of thymeleaf in a similar way we do using #numbers.sequence?
For the moment I am using a static array of chars in the back-end and passing this to the front-end.

You can do the following:
<div th:with="letters='abcdefghijklmnopqrstuvwxyz'"
th:each="num : ${#numbers.sequence(0, 25)}">
<div th:text="${#strings.substring(letters, num, num+1)}"></div>
</div>
This still requires a hard-coded string (as you can see), which you could just as easily pass to Thymeleaf as a Java String (not as an array of chars). But maybe it's more acceptable than what you are currently doing.
I don't know of any way in which Thymeleaf can directly use Java's (char)('A' + num) technique - otherwise that would probably be what you are looking for. I think that is not possible. Unless/until someone proves it is possible.
Update
To prove myself somewhat wrong, I used the following approach:
<div th:each="num : ${#numbers.sequence(97, 122)}">
<div th:text="${#conversions.convert(num, 'java.lang.Character')}"></div>
</div>
This prints a through z by converting the decimal ASCII values to Java chars.
However this is only valid if you are using the Spring dialect of Thymeleaf - which is not mentioned in your question - so may be of no help to you.
A solution using the Thymeleaf standard dialect (no Spring) is to define a custom conversion service.
That requires more coding than your current approach - so again, is probably not what you want. But I mention it just in case. How you implement this depends more specifically on how you have integrated Thymeleaf into your program.

Related

Where can I see the specification for thymeleaf th:method?

I've seen a lot of answers about how to send PUT/DELETE/PATCH HTTP requests with thymeleaf, and it's by using th:method = "the_specific_method", but I haven't found the thymeleaf specification about that. Can anyone help by showing me where it is?
Thanks in advance.
I've tried to google for the answer, but no luck.
th:method isn't special to Thymeleaf -- it's just like any other plain old attribute which will output the result of an expression to the method attribute. It doesn't do (or care about) anything else. You can put any string and/or string expression into it, and Thymeleaf will happily output it.
th:method="${'the_specific_method'}"
will output
method="the_specific_method"
without regard to whether or not it's valid. If you want to learn about the method attribute, you just need to learn about how method works in plain old regular HTML and how browsers (and/or Spring) work with it.

thymeleaf 3 and th:field syntax

I have a form template using thymeleaf 3 and I want to use th:field="*{dueDate}" syntax to bind my model property. I try to do the same as th:value="${#strings.substring(model.dueDate, 0, 19)}" but all my attempts fail.
Is it possible to do this in a th:field instead of a th:value?
EDIT:
I have to substring my date from java.sql.timestamp because it's a little bit different from the format used by my datepicker (2020-01-30 13:00:00.0 instead of 2020-01-30 13:00:00). I understand it isn't a good idea to substring the date string, but it is difficult to have an entity method to bind the value as well with th:field. Probably I will use th:value in this case to give me the possibility to create that entity method providing the good format.

Is data.to_json.html_safe susceptible to XSS attack?

I'm trying to figure out if this code is safe.
Is it at all possible to attack this code?
<script>
data = <%= data.to_json.html_safe %>;
</script>
In other words, what value of data would result in a successful attack?
It kind of depends on what you are doing with the data and the version of Rails you are using. If you are using anything past Rails 3 then no, calling html_safe could make your code vulnerable to XSS.
Basically, what you are doing is telling the app that data.to_json is html safe. However, the application doesn't actually know that for sure.
What html_safe does is it marks a string as safe to be inserted directly into HTML without escaping anything within the string. As described in the method api, it should never be used on user input. Constructed input may be safe, but it is up to you to ensure that it is.
to_json converts a given string into JSON. By default, it does not escape HTML characters like <, /, >.
Thus, if data is user input, it is entirely possible for someone to insert their own script into it and have it marked as safe (and thus rendered as html) the way it is currently written.
The way this is written, if someone does the following:
data = "</script><script>insert_xss_attack_here</script>"
Your code will not escape the script, resulting in the script being executed by the code.
Many people have described the issues with html_safe and to_json:
This deals specifically with to_json.html_safe
http://jfire.io/blog/2012/04/30/how-to-securely-bootstrap-json-in-a-rails-view/
https://bibwild.wordpress.com/2013/12/19/you-never-want-to-call-html_safe-in-a-rails-template/
http://makandracards.com/makandra/2579-everything-you-know-about-html_safe-is-wrong
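The break-out described in the answer and one way to neutralise it, as an added example in plain Ruby (standard library only); it is not code from the question, the answer, or Rails. The helper names and `SAMPLE` are hypothetical, and the sample input reuses the string quoted in the answer. Rails' own `json_escape` helper applies the same character substitutions.

```ruby
require "json"

# Constructed sample: the payload string quoted in the answer, as user input.
SAMPLE = { "comment" => "</script><script>insert_xss_attack_here</script>" }.freeze

# Characters that let JSON text end or alter an inline <script> block.
UNSAFE_IN_SCRIPT = /[<>&\u2028\u2029]/

# What `data.to_json.html_safe` puts on the page: JSON with HTML untouched.
def naive_script_json(data)
  JSON.generate(data)
end

# Hypothetical helper: same JSON, but each unsafe character is written as a
# \uXXXX escape, which any JSON/JavaScript parser decodes back to the original.
def script_safe_json(data)
  JSON.generate(data).gsub(UNSAFE_IN_SCRIPT) { |c| format('\u%04x', c.ord) }
end

# Mimics the ERB template from the question.
def inline_script(json)
  "<script>\ndata = #{json};\n</script>"
end

# Number of closing script tags the HTML parser would see; more than one means
# the data ended the block early and the rest is parsed as markup.
def script_close_tags(html)
  html.scan(%r{</script}i).length
end

if __FILE__ == $PROGRAM_NAME
  puts inline_script(naive_script_json(SAMPLE))
  puts inline_script(script_safe_json(SAMPLE))
end
```

The escaped form still parses to the original value, so client code reading `data` sees the same string while the HTML parser never sees a tag inside it.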

Accessing a HashMap using Struts 2

I have a hashmap that was created on a page using the struts2 <s:set> tag. It looks something like this
<s:set var="mymap" value="#request.mymap"/>
At some point in the page, I need to get a value from the hashmap based upon a key, and I want to do it using OGNL.
The key is generated based upon some logic, which I store using another <s:set> tag. Something like this
<s:set var="mykey" value="1"/>
I need to get a value from the hashmap using this key. And I need to display it.
How do I simply call the get function on the hashmap?
I tried this
<s:property value="#mymap[#mykey]"/>
and this
<s:property value="#mymap[%{#mykey}]"/>
and this
<s:property value="%{#mymap[%{#mykey}}]"/>
The third one obviously does not work because of the nesting problem.
But the same nesting logic is applicable to the second case as well, due to the manner the value attribute is handled. However none seem to work for me.
The issue here is that my key is unknown. It is a dynamically generated string based upon some pattern. I need to access the object stored in the hashmap using this dynamic key. And due to the inability of nesting ognl, I am in a fix.
I suppose the issue is very simple. I almost feel that I get it, but somehow the solution eludes me.
I suppose I was using a different version of struts wherein using the %{} was required for the expression to be evaluated. I changed the jar files now.
This is what did the job for me:
<s:property value="#mymap.[#mykey2]"/>
My problem was coming because I was trying to use it in a href for a s:a tag. And without the %{} operator, the expression was not being evaluated.
So, I guess, I was right in the beginning itself. Rest of the time, it was just me being silly. :>
Update:
I wrote a blog post on the issue, in case anyone is interested.
http://mycodefixes.blogspot.com/2010/11/struts-2-creating-and-accessing-maps.html

Spring: What parser to use to parse security expressions

I would like to parse standard security expressions like hasRole etc. to get their value in a variable (in a JSP). How can I do that? SpelExpressionParser is the standard EL parser, but I don't think it will parse the security expression.
The simplest approach is to use a <sec:authorize> tag and modify a desired variable inside its body.
If you actually want to evaluate expressions manually, look at the source of AuthorizeTag - it gets the first bean of type WebSecurityExpressionHandler from the web application context and uses it to obtain ExpressionParser and EvaluationContext.
I've posted an answer in this topic here - How to parse spring security expressions programmatically. I think this answers your question also.
